Sample BCM Policy

Business Continuity Management Policy
This policy sets out the arrangements for the XXX to ensure that critical services
are maintained and restored following a disruptive event.
1. Policy statement
1.1 XXX provides XXX services for XXX. The operational, financial, social
and political consequences of a major disruption to critical services would be
unacceptable.
1.2 This policy and its supporting documents aim to ensure that XXX has
arrangements in place to prevent, prepare for, respond to and recover from
a disruptive event so that critical business functions and services are
maintained at an acceptable level.
1.3 Senior executives (deputy secretaries, executive directors or directors)
are required to assess and manage the risks of disruption to critical business
functions for which they are accountable.
1.4 Senior executives accountable for critical business functions are
required to develop, maintain and test Business Continuity Plans (BCPs) at
least on an annual basis to ensure that essential services are maintained at
an acceptable level during a major disruptive event, and restored to full
functionality within an acceptable timeframe. This includes review of their
business impact analysis (BIA) to ensure all relevant critical business
functions are captured in their BCP.
1.5 Senior executives who are responsible for the delivery of one or more
critical business functions are referred to as the Business Continuity Owner
(BCO) of their BCP.
1.6 Each BCP must identify the senior executive(s) with the authority to
approve and activate (and deactivate) the relevant BCPs in the event of a
localised business disruption.
1.7 Each BCP must be approved by the BCO and their deputy secretary.
1.8 In the event of a disruption affecting a number of critical business
functions in multiple divisions and affecting the operations of Company X as
a whole, the Executive Director, Policy Coordination and Governance will
mobilise the Business Continuity Response Team (BCRT) to activate the
Company X-wide Business Continuity Activation Plan (BCAP). The BCRT,
led by the appointed Incident Controller, will prioritise and coordinate
Company X’s business continuity response and recovery efforts. The Company
X-wide BCAP must be approved by the BCRT. The BCRT must activate
(and deactivate) the Company X-wide BCAP in the event of a disruption that
affects the operations of Company X as a whole, in accordance with the
BCRT Charter.
1.9 When a BCP is activated, senior executives must ensure that the
required people, information, facilities, assets and other infrastructure are
available to ensure business continuity and recovery. Staff must re-prioritise
their efforts to the delivery of critical business functions and services and the
recovery of normal business operations. The BCO must also advise
Corporate Governance (Policy Coordination and Governance Directorate)
when their BCP is activated, as this may inform the activation of the
Company X-wide BCAP.
1.10 In the event that the incident endangers or threatens to endanger life,
property or the environment, emergency management always takes priority
over business continuity arrangements. BCPs are only activated once the
health and safety of staff and bystanders have been assured.
1.11 In the event of an emergency, Company X is required to implement its
Emergency Management Plans (EMPs), as required by Company X’s
Emergency Management guidelines. Emergency management is handled by
Company X’s Health and Safety Directorate.
1.12 In the event of an emergency affecting the operations of Company X as
a whole, the Emergency Planning and Response Committee (EPRC) will
coordinate Company X’s emergency response.
2. Audience and applicability
2.1 This policy applies to all business units within Company X.
3. Context
3.1 The Business Continuity Management policy is an essential element of
Company X’s broader corporate governance, and Enterprise Risk
Management framework.
3.2 This policy is supported by the Business Continuity Management
guidelines, toolkit and templates to assist with business continuity planning.
3.3 This policy and guidelines reflect the international standard for business
continuity management systems, ISO 22301:2012 and best practice.
3.4 The implementation of this policy is overseen by the Enterprise Risk
Management Group and the Audit and Risk Committee.
3.5 Staff also have responsibilities for identifying and managing risk under
Company X’s Enterprise Risk Management policy, and responsibilities
relating to health and safety, emergency response planning and incident
notification under Company X’s Work Health and Safety policy and Incident
Reporting policy.
4. Responsibilities and delegations
Secretary
- ultimately accountable for risk management in Company X, and must attest to X in relation to compliance with the eight core requirements of INSERT REGULATION.

Executive Group
- approve any substantial amendments to the existing Business Continuity Management policy and guidelines tabled by the Deputy Secretary, Strategy and Delivery.

Executive Director, Policy Coordination and Governance
- approves amendments to the existing Business Continuity Management policy and guidelines or, where amendments are substantial, takes an amended policy or guidelines to the Executive Group for approval via the Deputy Secretary, Strategy and Delivery.
- develops and maintains the Company X-wide BCAP as the Business Continuity Coordinator (BCC) for the Company X-wide BCAP when the plan is not activated.

Deputy Secretaries and Division Heads
- demonstrate leadership and commitment to business continuity management by:
  o communicating the value and importance of effective business continuity management
  o ensuring that business continuity management and continual improvement are integrated into risk management and business processes
  o ensuring that the resources needed for business continuity management are available
  o ensuring that BCPs are developed and maintained
  o approving BCPs for their division.

Business Continuity Owners (Deputy Secretary, Division Head, Executive Directors or Directors) (BCO)
- build awareness of this policy, and the value and importance of business continuity management
- nominate a Business Continuity Coordinator (BCC) and ensure they have the capabilities, training and experience for the role
- undertake a Business Impact Analysis (BIA) and risk assessment to identify the risks and impacts of disruptive events on critical business functions
- implement preventative controls and prepare a BCP to manage a disruptive event on critical business functions
- ensure BCPs and the required resources are available where and when they are needed, and are adequately protected against improper use
- ensure staff are aware of their roles in the event of a major disruption
- test and update BCPs (at least) annually
- advise the Corporate Governance Unit (Policy Coordination and Governance Directorate) when their BCP is activated, as this may inform the activation of the Company X-wide BCAP

Business Continuity Coordinators (BCC)
- nominated by BCOs as the liaison person for business continuity management within each business unit. BCCs support BCOs to manage disruption-related risks, including developing and maintaining the BCP(s) for the business unit

Staff
- ensure they are aware of their roles and responsibilities for business continuity management and participate in any training required
- when a BCP is activated, staff must re-prioritise their efforts to the delivery of critical business functions and services and recovery of normal business operations

Corporate Governance Unit (Policy Coordination and Governance Directorate)
- establish and lead the implementation of Company X’s Business Continuity Management policy, including:
  o providing oversight across Company X’s BCPs, including the identification and management of interdependencies
  o supporting BCOs and BCCs by providing high quality guidelines, tools (including business continuity exercises to test the BCP) and training to support good practice
  o reporting business continuity performance and compliance with this policy to the Audit and Risk Committee
  o identifying and implementing continual improvements to the suitability and effectiveness of business continuity management in Company X
- monitor activated BCPs and advise the Executive Director, Policy Coordination and Governance to mobilise the BCRT if the disruption affects a number of critical business functions within multiple divisions
- support the Executive Director, Policy Coordination and Governance in their role as BCC for the Company X-wide BCAP.

Business Continuity Response Team (BCRT)
The BCRT is comprised of members of the Executive Group.
- the BCRT, led by the Incident Controller, prioritises and coordinates Company X’s business continuity response and recovery efforts where the disruptive event impacts a number of critical business functions across multiple divisions
- approves the Company X-wide BCP and authorises the activation and deactivation of the Company X-wide BCP

Incident Controller
- appointed by the Secretary to lead the BCRT and coordinate department-wide business continuity management activities. The Incident Controller will be the BCC when the Company X-wide BCP is activated.

Enterprise Risk Management Group
- support the development, implementation and continuous improvement of Company X’s Business Continuity Management policy and its application within their divisions.

Internal Audit
- provide assurance to the Secretary and the Audit and Risk Committee on the effectiveness of the Business Continuity Management policy and supporting processes.

Audit and Risk Committee
- provides independent assistance to the Secretary by monitoring, reviewing and providing advice about the Business Continuity Management policy, supporting documents and processes.
5. Monitoring, evaluation and reporting requirements
5.1 The Executive Director of Policy Coordination and Governance is responsible
for monitoring the implementation of this policy, and reviewing it (at least) every
three years.
6. Contact
6.1 Chief Risk Officer